High-End Performance for Controlled Environments

As the number and sophistication of network attacks grow along with the amount of legitimate network traffic, the firewalls protecting an organization are getting asked to do more than simply admit/deny connections and packets.

Next-gen firewalls

"A firewall has to still open and close ports, but also do 'next generation' firewall functions like application control, looking at traffic and be able to identify the application, and other UTM [unified threat management] tasks like anti-virus, intrusion prevention, spam filtering, VPN [virtual private network], Web filtering, and WAN optimization," said Kevin Flynn, senior product marketing manager at Fortinet, a next generation firewall vendor. "For example, you may want to allow Facebook, but not allow somebody to play Mafia Wars on Facebook."

Meanwhile, legitimate traffic keeps growing -- including latency-sensitive activity like financial transactions and real-time video. And each additional security task and increase in network traffic adds to the firewall's workload, which, in turn, adds to the system cost, decreases performance or both.

To combat this problem, Fortinet (fortinet.com), which also provides high-performance network security appliances from branch/SMB through enterprise and carrier level, recently introduced two additions to its firewall product line:

The FortiGate-5101C carrier-grade security blade, for use in the company's FortiGate-5000 systems.

The 3240C: "A faster, more affordable box"

According to Flynn, the two new products, like previous Fortinet offerings, use the same OS and offer the same features. The differences are in form factor (box vs. blade), scale (e.g., port density, overall throughput), and price, making the products a good match for "a customer who needs the same things in different places in the network, such as central and branch offices, or a distributed environment like a large chain," said Flynn.

The 2-RU-sized FortiGate-3240C appliance can provide up to 40 gigabits per second (Gbps) of firewall throughput, and has hardware-accelerated 10 gigabit Ethernet (GbE) ports and 16 hardware-accelerated GbE ports, which the company claims is "the highest 10 GbE port density in its class."

The 3240C also supports redundant hot-swappable power supplies.

"The FortiGate 3240C doubles what the FortiGate 1000c did," said Joel Snyder, senior partner, Opus One, a technology consulting company. "It's a nice bump up for people who need more than 20 Gbit. This is a faster, more affordable box."

The 5101C: Over 100 Gbps of IPv6

Likely buyers of the FortiGate-5101C in-chassis blades include carriers, managed service providers, and large enterprises, said Flynn. "In a cloud environment these are often used at the edge of the data center. We also have virtual machine versions of our devices that can sit on servers in a cloud or data center."

The company claims that a FortiGate-5140B chassis fully stocked with FortiGate-5101C blades can secure "over 100 Gbps of IPv6 traffic." In recent tests using the BreakingPoint FireStorm CTM, a FortiGate-5140B handled 526 Gbps of real-world traffic, e.g., nearly a quarter million average-size webpages or 10,000 iTunes downloads per second, nearly three times the published results of competing systems at the time.

"These products are IPv6-ready, and can run dual-stack [IPv6 and IPv4], making them good for carriers and large enterprises who want to ensure their network infrastructure is ready for IPv6," said Flynn.

The intent of these new products is to give IT more granular control over network activity, including application control, without reducing throughput or performance.

According to Fortinet, the 3240C "exerts granular control over more than 1,900 discrete applications and provides real-time protection against current and emerging advanced persistent threats [APTs]."

Uses, drawbacks and concerns

As with all computer products, turning on additional software features impacts performance -- although Fortinet claims its ASIC-based architecture degrades performance less than software-only security approaches, thus allowing more granular application control within a high-performance environment.

"Companies running a lot of multimedia, especially video, need high throughput with no security-induced latency. So do service providers and financial services with very high transaction rates. And the need for this bandwidth is very acute in very large data centers, especially when running big data applications, to connect servers to storage arrays, routers and switches," said Chris Christianson, vice president of Security Products and Services for IDC.

For larger loads like data centers and carrier-class environments, "performance and throughput are considerations, you'll have to scale the box relative to the load and test it," he added.

"Drawbacks are relative to individual customer applications, and each customer configuration is different," said Christianson. "So it's unfair to compare vendors in these highly customized environments."

What IT should do, advised Christianson, is "Ask vendors 'Can we benchmark? And how soon?' Also, customers need to know what the benchmark consists of, in terms of what security functions are turned on or off. Your company has to decide what specific risks you want to protect yourself from, and how important this protection is, in terms of how much you're willing to pay for the necessary performance for running the corresponding security features and what you will need 12 to 24 months from now."

Both products are available now. MSRP for the FortiGate-3240C appliance is $44,995. The FortiGate-5101C blade runs $79,995 and the 5140B stocked chassis sells for $55,995 MSRP.

Daniel P. Dern is a freelance technology writer based in Newton Center, MA. You can view his work on his website, www.dern.com. Over the years, Dan has written articles for NetworkWorld, ReadWriteWeb, Hardware Central, TechRevu, and TechTarget.